Presentations

Keynote

Binary Instrumentation of Programs

Binary instrumentation is a technique for understanding the dynamic
behavior of programs by observing their execution with injected code.
Security researchers use binary instrumentation tools to understand program and
malware behavior; taint analysis is one example.
The talk will cover the capabilities of
Pin, and I will connect it to security- and privacy-related ideas. The talk
should be interesting to people interested in analyzing the behavior of
applications and developing their own tools.

Mozilla Secure World: Simple Ways to Secure Your Website

MozSecWorld is a web security reference site. It teaches simple ways to make your own websites more
secure. You'll learn through diagrams, explanations, and best of all, live demos! :) If you are a web developer, you might
also find the open-source code for each demo helpful.

OWASP Mobile Top 10 Risks

This presentation will feature the recently unveiled, official OWASP Mobile Top 10 Risks. As
many agree that mobile application security is in its infancy, this list is intended to help
developers and organizations prioritize their security efforts throughout the development
life cycle. Many of the same mistakes made over the past decade in other areas of application
security have managed to resurface in the mobile world. There have also been many new
security challenges introduced by mobile applications and platforms. Through the OWASP Mobile
Security Project, the primary goal is to enhance the visibility of mobile security risks just
as OWASP has successfully done for the web.

As the attack surface and threat landscape for mobile applications continue to evolve rapidly, arming developers with
the tools they need to succeed is essential. Each platform presents its own distinct risks to consider. Our
research and findings will be presented from a platform-agnostic perspective.

The Perils of JavaScript APIs

Client-side development with JavaScript has grown significantly thanks to Ajax, the plethora of JavaScript libraries such
as jQuery, and powerful JavaScript engines such as Google's V8. With the rapid push for HTML5 and the emergence
of Node.js, JavaScript has become paramount. However, we are starting to move away from the same-domain
policy: the XMLHttpRequest object in the latest versions of Chrome and Firefox now supports cross-domain
communication to a degree. HTML5 has also introduced a number of features, including WebWorkers, cross-document
messaging, and WebSockets, that are JavaScript-heavy and have raised a number of security issues. This presentation
will also delve into best practices for rendering and parsing JSON, the security woes surrounding WebGL, and the
state of creating and running a Node.js web server.

Preventing Web App Data Breaches by Data Tagging

Data breaches through Web application vulnerabilities have become
particularly rampant. Point solutions -- for example, a Web
Application Firewall that scans requests destined for the Web app --
can only stop a limited number of attack patterns, and provide no
protection from a breach once a vulnerability is eventually
exploited. We have been researching a complementary approach to
preventing breaches, based on the idea that if sensitive data is tracked
closely enough, an organization can prevent breaches without worrying
about the Web application vulnerabilities that lead to them.

We have designed a system, Pedigree, that associates tamper-proof tags
with database records and files, and uses an OS-level module to track
the flow of tagged data through the various components of a Web
application. Pedigree also tags network data, so that a simple
firewall or switch can identify the provenance of a flow from the tag
on its packets. Thus, the firewall can choose to permit a flow that
is a response to an authorized Web app user request to pass through,
while denying flows that are unauthorized and likely correspond to
malicious exfiltration requests (e.g., the result of an SQL injection).

In this talk, I will present the architecture of Pedigree and describe
how Pedigree might be integrated with existing Web application
frameworks and firewalls.

Reversing Web Applications

Information gathering is not only the first step, but perhaps the most important repeated process within penetration testing.
How well a tester is able to learn the characteristics and nuances of an application can make all the difference in
comprehensive testing and sophisticated attacks. Information gathering is far more than merely mapping an application.

This talk focuses on common pitfalls and misconceptions of information gathering, and how we can approach it better. Using
strategies from reverse engineering and forensics, we will learn the skills and tools needed to find evidence and grok what it
means, so that we can ensure consistent and comprehensive understanding of how a site works. Specific topics that will
be covered include: anti-patterns, learning the behaviors of an application, reading exceptions between the lines, fingerprinting a
website beyond HTTP headers, creating a working API for scripted attacking, and content discovery beyond throwing massive
wordlists at the wall.

Tools that support these tasks, and countermeasures that make them more challenging, will be discussed throughout the talk.

Secure mobile application architecture

With the ever-increasing market for smartphones, application developers and consumers are making
a mad dash toward mobile application architectures. Much like the race to the web, many are ignoring
the security lessons previously learned and are creating a new avenue of attack that puts individuals
as well as organizations at risk. Focusing on the two major players in this space, Apple iOS and Google
Android, this talk will cover the types of issues common to mobile apps and will provide advice for
both smartphone owners and application developers on how they can protect the data that is
being entrusted to these devices.

There’s an App for That

Theoretically, the security industry knows that mobile phones are an exposed attack surface. Practically,
very little attention has been paid to the subject. As an introduction, the resources that a
mobile phone can provide to an attacker will be explained. These include persistent internet connections
(providing an entry point to any physically nearby network) and a low profile (which assists in evading
physical security). Next, discussion will focus on the construction of the proof of concept: using chroot
jails with qemu files compiled for the ARM processor architecture. With the proof-of-concept model in
hand, the presentation will include discussion of practical threat modeling demonstrating the use of
the above benefits. Threats discussed in depth:
- a targeted cyber attack/penetration test, leveraging a mobile phone as an entry point
- using the phone as part of a less focused campaign to compromise poorly protected personal resources such as laptops or other mobile phones in coffee shops
To conclude, focus will be placed on further work. Potential opportunities for further research include
packaging the qemu files necessary to run an emulated Linux environment as a payload.

WAFs - An Overview of Free Web Application Firewalls

Web application firewalls (WAFs) are an additional security layer that can help protect against 'some' common attacks, such as
those from the OWASP Top Ten security risks list. By customizing the rules to your applications, many attacks can be identified
and thwarted. However, this requires significant effort in testing and in maintaining application change control.
Participants will come away with the basics of web application firewalls, the differences between them, best practices, and
some common characteristics of using them.